August 27, 2019, updated 28 Aug 2019 5:37pm

Imperva Hacked: Customer API Keys, SSL Certificates Stolen

Attack was disclosed by a third-party...

By CBR Staff Writer

Updated, corrected to clarify that EE is not using Imperva’s WAF product. (The company cites the mobile carrier as an early WAF adopter and user of another, unaffected product). 

Cloud security specialist Imperva says its Cloud Web Application Firewall (WAF) product has been hacked, with a “subset” of customers’ API keys and SSL certificates stolen in the attack which was discovered on August 20.

The Redwood Shores, California-based firm – which was bought by private equity giant Thoma Bravo for $2.1 billion in October 2018 – says the breach was disclosed to it by a third party. The company has yet to reveal details of that disclosure.

Imperva’s WAF was previously known as Incapsula. The company describes it as “a key component of Imperva’s market-leading, full stack application security solution which brings defense-in-depth to a new level.”

CEO Chris Hylen wrote: “We want to be very clear that this data exposure is limited to our Cloud WAF product… Elements of our Incapsula customer database through September 15, 2017 were exposed. These included: email addresses; hashed and salted passwords. And for a subset of the Incapsula customers through September 15, 2017: API keys and customer-provided SSL certificates.”

Imperva Hacked: “Profoundly Regrets” Incident

Rich Mogull, founder of cloud security firm DisruptOps told Brian Krebs that stolen customer API keys and SSL certificates could, in a worst case scenario, allow an attacker “to intercept, view or modify traffic destined for an Incapsula client web site, and even to divert all traffic for that site to or through a site owned by the attacker.”

He added: “They could modify any of the Incapsula security settings, and if they got [the target’s SSL] certificate, that can potentially expose traffic. For a security-as-a-service provider like Imperva, this is the kind of mistake that’s up there with their worst nightmare.”


SensePost founder Charl van der Walt told Computer Business Review: “Conceptually, the attacker gets all the functionality the API keys offer, which might be as much as being logged in to the UI. I can’t see at a glance what their API might offer, and no one else seems to know either. The comments I’ve seen are suggesting ‘not much’.”

He added: “Abusing SSL keys requires some kind of Hacker In the Middle scenario, which is scary, but much less scalable.”

Imperva’s CEO told customers: “We continue to investigate this incident around the clock and have stood up a global, cross-functional team.”

Imperva has “implemented forced password rotations and 90-day expirations in our Cloud WAF product”, he wrote today. (Critics may note that this is shutting the stable door after the horse has bolted and that, given the prevalence of credential stuffing and password re-use, it may have been wise to implement earlier…)

See also: An Idiot’s Guide to Dealing with Hackers

The company says it is encouraging customers to:

CEO Chris Hylen added: “We profoundly regret that this incident occurred and will continue to share updates going forward.”

Computer Business Review has contacted the company with a number of further questions. The incident is the latest data breach involving a cybersecurity company. Earlier this year Trend Micro admitted it had also suffered a data breach following a widely publicised incident.

Read this: Trend Micro Admits it Was Hacked, Symantec Denies Claims of “Fxmsp” Breach
